Corridor’s Pull Request (PR) review feature acts as an automated security reviewer for your code changes. Whenever you open or update a PR, Corridor analyzes the diff for potential security issues and provides feedback directly in the PR.
Developer workflow
Treat Corridor’s comments like those from a human reviewer specialized in security:
- Understand the issue: Read the explanation and remediation guidance
- Push a fix: Push additional commits to address the problem. Corridor will re-check the PR on the new commit
- Handle false positives: If you believe it’s a false positive, mark it as such with feedback. This helps Corridor learn and helps the security team adjust guardrails
Once all issues are resolved, Corridor’s status check will turn green and you can merge knowing the security review is clear.
Configuration
PR review settings are found on the PR Reviews page → Configure (top right corner). See Connecting GitHub for initial setup.
| Setting | Description |
|---|
| Enable Pull Request Reviews | Automatically review pull requests for security vulnerabilities |
| Block PRs with Security Findings | Prevent merging pull requests that contain security vulnerabilities (blocks can still be overridden in GitHub). Corridor Team only |
| Review Verbosity Mode | Control how inclusive the PR reviewer is when flagging potential security issues. Standard review mode provides a balanced approach between catching vulnerabilities and minimizing false positives |
| Leave Comments on Pull Requests | Post review comments directly on GitHub PRs |
| Disable Comments for Specific Repos | PRs from selected repositories will still be reviewed but comments won’t be posted |
Advanced settings
| Setting | Description |
|---|
| Enable Draft PR Reviews | Review pull requests that are marked as draft |
| Only review PRs with this label | Optionally restrict reviews to PRs with a specific label |
| Comment When No Issues Found | Leave a comment even when no vulnerabilities are detected |
| Enable Threat Modeling | Include threat model analysis with risk level and security considerations on all PRs |
How it works
When a pull request is opened or updated:
- Webhook trigger: GitHub sends a webhook to Corridor
- Diff analysis: Corridor analyzes only the changed code, understanding context from the broader codebase
- Security review: The changes are evaluated against security best practices, known vulnerability patterns, and your guardrails
- Review posted: Findings appear directly on the PR with inline comments
- Status check: Optionally block the PR until issues are resolved
Corridor’s reviews are context-aware—not just pattern matching. The review understands your codebase structure, existing security patterns, and the purpose of the changes. Each finding includes specific remediation steps, not generic advice.
Review limits
| Tier | PR Reviews |
|---|
| Pro | 100/month |
| Team | 100/dev/month |
| Enterprise | Unlimited |
Developer count is based on unique developers interacting with Corridor—IDE users, dashboard users, and PR authors—in the given month.
Next steps
